MU1 Module 4 Powerpoint

7/27/2019 MU1 Module 4 Powerpoint

1/23

Course Name: Internal Auditing and Controls

Module: 4

Module Title: Planning the Internal Audit

Lectures and handouts by:

Chuck Campbell

Copyright The Certified General Accountants Association of British Columbia. All rights reserved.

1

Planning the internal auditModule 4

This module covers the planning phase of internal

auditing. Internal audit planning ranges from

long-term planning which sets the overall

strategic audit direction for several years, to

annual audit plans and finally to planning a

specific audit engagement. A comprehensive

case study will help demonstrate the points

made in the course notes, readings andlectures.

2

Internal Auditing & ControlsModule 4

Part 1 Topic 4.1 The internal auditing process

Topic 4.2 Internal audit planning processPart 2 Topic 4.3 Long-term planning overview

Topic 4.4 Long-term planning risk assessment matrix

Topic 4.5 Long-term planning case study

Part 3 Topic 4.6 Short-term (annual) audit planning

Part 4 Topic 4.7 Engagement planning

Topic 4.8 Engagement planning case study

Part 5 Module summary Learning objectives

Recent examination questions

Assignment hints

3


2/23


Part 1

Topic 4.1 The internal auditing process

Topic 4.2 Internal audit planning process

4

Phases in the internal audit

process

1. The planning phase which determines what will be audited

and how frequently. This will be the subject matter of this

module.

5


process (contd)

1. The planning phase which determines what will be auditedand how frequently.

2. The examination phase where internal auditors perform

specific audits following the audit programs developed in the

planning phase. This phase consists of gathering audit

evidence, analyzing it and reaching conclusions on the

subject matter of the audit. (This will be covered in Module

5.)

6


3/23


process(contd)

1. The planning phase which determines what will be audited

and how frequently.

2. The examination phase where internal auditors perform

specific audits following the audit programs developed in the

planning phase.

3. The reporting phase in which the auditors report their

findings to the management of the audited unit and to senior

management. (This will be covered in Module 6 of this

course.)

7


process (contd)1. The planning phase which determines what will be audited

and how frequently.

2. The examination phase where internal auditors performspecific audits following the audit programs developed in theplanning phase.

3. The reporting phase in which the auditors report their findingsto the management of the audited unit and to seniormanagement.

4. The monitoring phase in which the internal auditordetermines the extent to which management hasimplemented corrective action to address reportedweaknesses and the degree to which the actions haveremedied the weaknesses. (This will also be addressed inModule 6.)

8

Purpose of internal audit planning

Audit planning is necessary in order to ensure that

the audit resources used produce the greatestbenefit for the organization. Long-term audit

planning involves identifying those the areas withthe greatest potential risk to the organization inorder to assess if managements efforts to keep therisks within acceptable levels are adequate and

effective. Annual audit plans and engagement plans

for specific audits carry through with maximizing thebenefit to the organization of its internal auditactivities.

9


4/23

Ethical considerations in the audit

process

Ethical considerations apply throughout the

internal audit process:

in the planning phase, you must incorporate theorganizations ethical policies and ethical

responsibilities;

in the examination phase, you must use ethical ways

of obtaining audit evidence;

in the reporting phase, you must report with fairness

and objectivity;

in the monitoring phase, you must use ethical

monitoring methods.

10

The internal audit planning

process

Internal audit planning consists of four steps:

1. Gaining knowledge of the organization.

11


process (contd)



2. Preparing the long-term audit plan.

12


5/23


process (contd)




3. Preparing the annual audit plan.

13


process (contd)




3. Preparing the annual audit plan.

4. Preparing plans for specific internal auditengagements, including developing audit programs.

14


Part 2

Topic 4.3 Long-term planning overview

Topic 4.4 Long-term planning risk assessment

matrix

Topic 4.5 Long-term planning case study

15


6/23

Overview of the long-term planning

process

1. Define the audit universe.

2. Perform an overall risk assessment.

3. Determine the frequency of audits.

4. Prepare the long-term audit plan (and have itapproved).

16

Defining the audit universe

The audit universe must consist of all auditable

activities or units. Auditable activities include:

policies, procedures and practices

cost centres, profit centres and investment centres

general ledger account balances

information systems

major contracts

17

Defining the audit universe (contd)

The audit universe must consist of all auditable

activities or units. Auditable activities include: major programs

organizational units such as product or service lines

functions such as purchasing, marketing, treasury

transaction systems such as sales or payroll

compliance with laws and regulations

geographical locations such as plants or sales offices

18


7/23

Performing an overall risk

assessment

In performing an overall risk assessment, the

internal auditor considers three factors:

1. controllability (which measures the ability of those in

the organization to control specific risks)

19


assessment (contd)

In performing an overall risk assessment, the

internal auditor considers three factors:

1. controllability (which measures the ability of those in

the organization to control specific risks)

2. likelihood that a weakness will occur (a combination of

inherent risk and control risk)

20


assessment (contd)

In performing an overall risk assessment, the internal

auditor considers three factors:

1. controllability (which measures the ability of those inthe organization to control specific risks)

2. likelihood that a weakness will occur (a combination ofinherent risk and control risk)

3. impact of that weakness, if it does occur

21


8/23


assessment (contd)

In performing an overall risk assessment, the internalauditor considers three factors:

1. controllability (which measures the ability of those inthe organization to control specific risks)

2. likelihood that a weakness will occur (a combination ofinherent risk and control risk)

3. impact of that weakness, if it does occur

The overall risk is the product of the likelihood and impact.

22

Using assurance maps

Assurance mapping can be performed to

identify significant risks with inadequate

coverage and areas of duplicated assurance

coverage.

The internal audit activity needs to consider

areas of inadequate coverage when

developing their audit plan.

23

Using assurance maps (contd)

An assurance map includes:

Identification of the significant risk category

who is responsible for managing the risk

risk assessments (likelihood and impact)

extent of external audit coverage of the risk

extent of internal audit coverage of the risk

extent of coverage by other assurance providers,both internal and external to the organization.

24


9/23

Using a risk assessment matrix

Current (or residual) risk is the product of

likelihood and impact after taking into accountthe effectiveness of risk management activities

(including internal controls).

Risk ranking for purposes of audit planning uses a

risk factor which is the product of likelihood,

impact and controllability.

25

Factors affecting the assessment of

likelihood or inherent risk

The complexity of the activity or function

The nature of the function, activity or operations

The frequency of changes in personnel or

procedures

Staff and managements grasp of operations

Environmental pressures

Competency of personnel

Expressed concerns of management

26

Factors affecting the assessment of

likelihood or inherent risk (contd)

Previous audit results

Managements response to prior auditrecommendations

Management and corporate values and attitudes

Competitive market conditions

Impact of government regulations

Political risk (particularly of foreign operations)

27


10/23 1

Factors in assessing the impact ofweaknesses

The financial impact

28

Factors in assessing the impact of

weaknesses (contd)


The impact on continuity of operations

29

Factors in assessing the impact

of weaknesses (contd)



The impact on competitiveness

30


11/23

Factors in assessing the impact

of weaknesses (contd)




The impact on customer service and

reputation

31


weaknesses (contd)




The impact on customer service and reputation

Legal consequences

32


weaknesses (contd)




The impact on customer service and reputation

Legal consequences

Impact on public or regulatory relations

33


12/23 1

Preparing the long-term audit plan

Input can be obtained from managers

throughout the organization.

The final risk rankings must reflect the

thinking of the internal audit group.

Auditable entities are ranked from highest to

lowest based on the three relevant factors

(likelihood, impact and controllability).

A risk-based audit plan is developed based

on the risk rankings.

34

Chuckle Belly Toys case study

Review the case study (Topic 4.5 in your

module notes).

Outline the advantages of preparing a risk-

based long-term audit plan.

Outline the process used in preparing a risk-

based long-term audit plan.

35

Internal Auditing & Controls

Module 4

Part 3

Topic 4.6 Short-term (annual) audit planning

36


13/23 1

The annual audit plan

1. The short-term or annual audit plan is based on thelong-term strategic internal audit plan.

37

The annual audit plan (contd)

1. The annual audit plan is based on the long-termstrategic internal audit plan.

2. The long-term plan should be up-dated to reflect thework done in the previous year.

38


1. The annual audit plan is based on the long-term

strategic internal audit plan.


3. Risk assessments should be reviewed annually toidentify significant changes to the organization (and therisks that it faces) and/or its risk management, controland governance processes.

39


14/23 1


1. The annual audit plan is based on the long-termstrategic internal audit plan.


3. Risk assessments should be reviewed annually toidentify significant changes to the organization (and therisks that it faces) and/or its risk management, controland governance processes.

4. Specific requests and concerns of management andthe audit committee should be taken into account.

40


1. The annual audit plan is based on the long-term strategicinternal audit plan.

2. The long-term plan should be up-dated to reflect the workdone in the previous year.

3. Risk assessments should be reviewed annually to identifysignificant changes to the organization (and the risks that itfaces) and/or its risk management, control and governanceprocesses.

4. Specific requests and concerns of management and theaudit committee should be taken into account.

5. Scheduling must take into account the specific skill setrequired for each audit engagement.

41


1. The annual audit plan is based on the long-term strategicinternal audit plan.

2. The long-term plan should be up-dated to reflect the workdone in the previous year.

3. Risk assessments should be reviewed annually to identifysignificant changes to the organization (and the risks that itfaces) and/or its risk management, control and governanceprocesses.

4. Specific requests and concerns of management and theaudit committee should be taken into account.

5. Scheduling must take into account the specific skill setrequired for each audit engagement.

6. Allowance must be made for new issues that may ariseduring the year.

42


15/23 1


Module 4

Part 4

Topic 4.7 Engagement planning

Topic 4.8 Engagement planning case study

43

Planning the internal audit

engagement

1. Obtain specific knowledge (background

information) about the unit to be audited.

2. Establish the audit objectives and scope for the

engagement.

3. Determine the audit methodology to be used.

4. Set audit criteria.

44

Planning the internal audit

engagement (contd)

5. Prepare staffing plans and time budgets.

6. Communicate with those to be audited.

7. Draft the audit program for the engagement.

45


16/23 1

Sources of information about the unit

to be audited

Organization charts

Mission statements Policy and procedure documents

Systems descriptions

Earlier internal audit reports

External auditors management letters

46

Sources of information about the unit

to be audited (contd)

Consultants reports

Management reports

Minutes of boards and committees

Corporate and operational plans

Budgets and forecasts

Discussions with management and other

personnel

47

The audit objectives and scope

The audit objectives must address the risks,

controls and governance processes

associated with the activity under review and

should be based on a preliminary

assessment of risk.

48


17/23 1

The audit objectives and scope (contd)

The audit objectives must address the risks, controlsand governance processes associated with the

activity under review and should be based on apreliminary assessment of risk.

The audit scope defines the function or

organizational unit to be reviewed and the activitiesand time period to be covered by the audit. Thescope must be wide enough to permitaccomplishment of the audit objectives for the

engagement.

49

Determine the audit approach or

methodology

The auditor will sometimes have a choice of approaches to theaudit to be performed. Specific methodologies such asinformation systems audits, control self - assessmentexercises, compliance audits, etc. may be appropriate for aspecific audit.

The methodology and approach must be designed taking intoaccount the audit objectives and scope and the riskassessment which has preceded the audit.

The methodology used will be designed to gather sufficient,appropriate evidence to allow the internal auditor to draw the

necessary conclusions concerning the risk management,control and/or governance processes for the unit and activitiesbeing audited.

50

Setting audit criteria

Audit criteria are the standards against which

actual performance is to be compared in

assessing the risk management, control and

governance processes of the unit being

audited. Audit criteria should be agreed with

the management of the unit being audited

prior to the start of audit work.

51


18/23 1

Sources of audit criteria

Sources of audit criteria include:

laws and regulations governing the organization

policies, procedures and directives

standards recommended by professionalassociations

authoritative literature

benchmarking studies

52

Sources of audit criteria (contd)

Sources of audit criteria include:

earlier internal audits

interviews with management of the organization

advice and counsel from subject matter experts

common sense and experience

53

The final steps in engagementplanning

1. Preparation of staffing plans and time budgets. (These

are based on the objectives, scope and methodology

of the engagement, considered in the light of actual

time taken in previous audits, the experience of the

staff to be assigned to the engagement, etc.)

54


19/23 1

The final steps in engagement

planning (contd)

1. Preparation of staffing plans and time budgets. (Theseare based on the objectives, scope and methodology

of the engagement, considered in the light of actualtime taken in previous audits, the experience of thestaff to be assigned to the engagement, etc.)

2. Communication with those to be audited. (Mattersdiscussed should include timing, objectives and scope,criteria, assistance needed from the units personneland the process for on-going communication during theaudit.)

55

The final steps in engagement

planning (contd)

1. Preparation of staffing plans and time budgets. (Theseare based on the objectives, scope and methodologyof the engagement, considered in the light of actualtime taken in previous audits, the experience of thestaff to be assigned to the engagement, etc.)

2. Communication with those to be audited. (Mattersdiscussed should include timing, objectives and scope,criteria, assistance needed from the units personneland the process for on-going communication during theaudit.)

3. Preparing the audit program. (This willbe considered indetail in Module 5 of the course.)

56

Connon Chemicals Inc. case study

Review the case study (Topic 4.8 in your

module notes).

Attempt to identify and assess the risks faced

by Connon Chemicals when using outside toll

manufacturers.

Establish the objectives and scope of an

audit of the companys toll manufacturing

activities.

57


20/23 2


Module 4

Part 5

Module summary -- Learning Objectives

Recent past examination questions

Assignment hints

58

Module 4 Learning Objectives

1. Identify the main phases of the internal

auditing process and explain their purposes;

explain how to incorporate ethics into the

process. (Level 1)

59


2. Outline the steps for preparing the different

types of plans in the planning phase of

internal auditing. (Level 1)

60


21/23 2


3. Explain the steps for preparing a long-term

audit plan, including how an audit universe

is defined and factors that may affect overallrisk assessment. (Level 2)

61


4. Explain how a risk-assessment matrix is

used for long-term audit planning. (Level 2)

62


5. Outline the process of preparing a long-term

audit plan. (Level 2)

63


22/23 2


6. Explain how the auditor plans a short-term

(annual) audit plan. (Level 2)

64


7. Design a specific audit engagement

(including determining the scope,

objectives, and audit criteria), and list seven

design areas that must be considered.

(Level 1)

65


8. Design a plan for a specific audit

engagement using information from a case

study. (Level 1)

66


23/23

Recent examination questions

The examination blueprint specifies that 8%-

10% of the questions on the course

examination will come from Module 4.

Typical examination questions:

Multiple choice questions

67

Assignment hints Assignment 2

Question 2 You may set out your answer as a table within aproperly formatted memo. The table should consist of onecolumn listing the risks to which Canadian Wood Toys Inc. isexposed and a second column setting out possible methods ofmitigating the identified risks.

Question 3 This question is typical of the exam questions for thiscourse. You are expected to outline your presentation usingMicrosoft Word. Your answer should set out the steps indeveloping a long-term audit plan and the use of a riskassessment matrix in doing so.

Question 4 Your answer should address the first six of the sevensteps in developing the audit plan for a specific internal audit

engagement (preparing the audit program is specificallyexcluded).

68

Date post:	14-Apr-2018
Category:	Documents
Upload:	cgastuff
View:	226 times
Download:	0 times

MU1 Module 4 Powerpoint

Documents